Access Revocation

ABSTRACT

Systems and apparatuses for revoking access to one or more applications for one or more individuals or users are provided. In some examples, revocation settings may be received from different business divisions or enterprises or business groups within an entity and may be compiled to form a standardized set of revocation settings that may be applied across the entity. Accordingly, upon receiving an item that may be associated with access and may include one or more applications to which access may be revoked and/or one or more users from which access may be revoked, the system may apply the standardized revocation settings to determine whether access should be revoked. If it is determined that access should be revoked, the system may revoke access to the one or more applications for the one or more users.

BACKGROUND

Companies often implement a plurality of different applications in the day-to-day functioning of the company. Providing access to those applications and associated data is an important business function. Although providing access is important in order to enable employees to successfully perform different work functions, revoking access upon termination of an employee, or other job change of an employee, is also an important function. Often, when employees leave a position, notifications are sent to various business groups, such as an information technology group, who may then revoke access to the one or more applications to which the user had access. However, in some situations, there can be significant delays in informing the various business groups, which can leave the company exposed to risk from former employees or other individuals who no longer need access to one or more applications, but still are able to access those applications.

SUMMARY

The following presents a simplified summary in order to provide a basic understanding of some aspects of the disclosure. The summary is not an extensive overview of the disclosure. It is neither intended to identify key or critical elements of the disclosure nor to delineate the scope of the disclosure. The following summary merely presents some concepts of the disclosure in a simplified form as a prelude to the description below.

Aspects of the disclosure relate to computer-readable media, systems, and apparatuses for revoking access to one or more applications for one or more individuals or users. In some examples, revocation settings may be received from various different business divisions or enterprises or business groups within an entity. The settings may be compiled to form a standardized set of revocation settings that may be applied across the entity. Accordingly, upon receiving an item that may be associated with access and, in some examples, may include one or more applications to which access may be revoked and/or one or more users from which access may be revoked, the system may apply the standardized revocation settings to determine whether access should be revoked. In some examples, the determination may be made automatically upon receiving the item. If it is determined that access should be revoked, the system may revoke access to the one or more applications for the one or more users. In some examples, access revocation may be performed automatically upon determining that access should be revoked.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is illustrated by way of example and not limited in the accompanying figures in which like reference numerals indicate similar elements and in which:

FIG. 1 illustrates an example operating environment in which various aspects of the disclosure may be implemented.

FIG. 2 is an illustrative block diagram of workstations and servers that may be used to implement the processes and functions of certain aspects of the present disclosure according to one or more aspects described herein.

FIG. 3 illustrates an example access revocation system according to one or more aspects described herein.

FIG. 4 is an example method of determining whether access to one or more applications for one or more users should be revoked, according to one or more aspects described herein.

FIG. 5 is an example user interface that may display tracking information associated with analysis or evaluation of an item, according to one or more aspects described herein.

FIG. 6 is an example user interface providing additional details about a selected item according to one or more aspects described herein.

DETAILED DESCRIPTION

In the following description of various illustrative embodiments, reference is made to the accompanying drawings, which form a part hereof, and in which is shown, by way of illustration, various embodiments in which the claimed subject matter may be practiced. It is to be understood that other embodiments may be utilized, and that structural and functional modifications may be made, without departing from the scope of the present claimed subject matter.

It is noted that various connections between elements are discussed in the following description. These connections are general and, unless specified otherwise, may be direct or indirect, wired or wireless, and the specification is not intended to be limiting in this respect.

Companies often have a plurality of applications which one or more users, such as employees, contractors, and the like, access during a work day to perform various work functions. Access to these applications, as well as data contained therein, may be restricted to users who have a need to access the application or information (e.g., their job or role requires access to the application to perform a work function, and the like). Accordingly, when a user who currently has access leaves his or her job or position (e.g., if the employee is terminated, the contract period ends, the employee leaves the current position for another position within the same entity, or the like), access that was being provided to that user must be evaluated and, as needed, revoked (e.g., if the user is no longer employed by the entity, the new position does not include access to the application, or the like). In some examples, revocation of access may include removing the user (e.g., by name, employee number, or other unique identifier) from a listing or database of users having access to the identified application.

Aspects described herein relate to an access revocation system that may, in some examples, automatically determine whether access to one or more applications for one or more users should be revoked and, in some examples, may automatically revoke access. In some arrangements, applications in use in the entity may be inventoried to determine appropriate users for access, and the like. Further, data may be received from various sources, such as human resources, regarding the employment status of one or more users.

Further, access revocation settings from various different enterprises, business groups, business divisions or the like, within the entity, may be received and compiled. These settings may be automatically applied to an item received (e.g., a data element identifying one or more applications and/or one or more users for which access may be revoked) in order to determine, for instance, whether the item relates to access, whether the item is actionable, and/or whether the item is mapped to a confirmed location, or the like. Based on these determinations, the system may automatically revoke access to the one or more applications for the one or more users. These and various other aspects will be discussed more fully below.

FIG. 1 depicts an illustrative operating environment in which various aspects of the present disclosure may be implemented in accordance with one or more example embodiments. Referring to FIG. 1, computing system environment 100 may be used according to one or more illustrative embodiments. Computing system environment 100 is only one example of a suitable computing environment and is not intended to suggest any limitation as to the scope of use or functionality contained in the disclosure. Computing system environment 100 should not be interpreted as having any dependency or requirement relating to any one or combination of components shown in illustrative computing system environment 100.

Computing system environment 100 may include computing device 101 having processor 103 for controlling overall operation of computing device 101 and its associated components, including random-access memory (RAM) 105, read-only memory (ROM) 107, communications module 109, and memory 115. Computing device 101 may include a variety of computer readable media. Computer readable media may be any available media that may be accessed by computing device 101, may be non-transitory, and may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, object code, data structures, program modules, or other data. Examples of computer readable media may include random access memory (RAM), read only memory (ROM), electronically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disk read-only memory (CD-ROM), digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and that can be accessed by computing device 101.

Although not required, various aspects described herein may be embodied as a method, a data processing system, or as a computer-readable medium storing computer-executable instructions. For example, a computer-readable medium storing instructions to cause a processor to perform steps of a method in accordance with aspects of the disclosed arrangements is contemplated. For example, aspects of the method steps disclosed herein may be executed on a processor on computing device 101. Such a processor may execute computer-executable instructions stored on a computer-readable medium.

Software may be stored within memory 115 and/or storage to provide instructions to processor 103 for enabling computing device 101 to perform various functions. For example, memory 115 may store software used by computing device 101, such as operating system 117, application programs 119, and associated database 121. Also, some or all of the computer executable instructions for computing device 101 may be embodied in hardware or firmware. Although not shown, RAM 105 may include one or more applications representing the application data stored in RAM 105 while computing device 101 is on and corresponding software applications (e.g., software tasks) are running on computing device 101.

Communications module 109 may include a microphone, keypad, touch screen, and/or stylus through which a user of computing device 101 may provide input, and may also include one or more of a speaker for providing audio output and a video display device for providing textual, audiovisual and/or graphical output. Computing system environment 100 may also include optical scanners (not shown). Exemplary usages include scanning and converting paper documents, e.g., correspondence, receipts, and the like, to digital files.

Computing device 101 may operate in a networked environment supporting connections to one or more remote computing devices, such as computing devices 141 and 151. Computing devices 141 and 151 may be personal computing devices or servers that include any or all of the elements described above relative to computing device 101. Computing devices 141 or 151 may be a mobile device (e.g., smart phone) communicating over a wireless carrier channel.

The network connections depicted in FIG. 1 may include local area network (LAN) 125 and wide area network (WAN) 129, as well as other networks. When used in a LAN networking environment, computing device 101 may be connected to LAN 125 through a network interface or adapter in communications module 109. When used in a WAN networking environment, computing device 101 may include a modem in communications module 109 or other means for establishing communications over WAN 129, such as Internet 131 or other type of computer network. The network connections shown are illustrative and other means of establishing a communications link between the computing devices may be used. Various well-known protocols such as transmission control protocol/Internet protocol (TCP/IP), Ethernet, file transfer protocol (FTP), hypertext transfer protocol (HTTP), hypertext transfer protocol secure (HTTPS), and the like may be used, and the system can be operated in a client-server configuration to permit a user to retrieve web pages from a web-based server. Any of various conventional web browsers can be used to display and manipulate data on web pages.

The disclosure is operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well-known computing systems, environments, and/or configurations that may be suitable for use with the disclosed embodiments include, but are not limited to, personal computers (PCs), server computers, hand-held or laptop devices, smart phones, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.

FIG. 2 depicts an illustrative block diagram of workstations and servers that may be used to implement the processes and functions of certain aspects of the present disclosure in accordance with one or more example embodiments. Referring to FIG. 2, illustrative system 200 may be used for implementing example embodiments according to the present disclosure. As illustrated, system 200 may include one or more workstation computers 201. Workstation 201 may be, for example, a desktop computer, a smartphone, a wireless device, a tablet computer, a laptop computer, and the like. Workstations 201 may be local or remote, and may be connected by one of communications links 202 to computer network 203 that is linked via communications link 205 to server 204. In system 200, server 204 may be any suitable server, processor, computer, or data processing device, or combination of the same. Server 204 may be used to process the instructions received from, and the transactions entered into by, one or more participants.

Computer network 203 may be any suitable computer network including the Internet, an intranet, a wide-area network (WAN), a local-area network (LAN), a wireless network, a digital subscriber line (DSL) network, a frame relay network, an asynchronous transfer mode (ATM) network, a virtual private network (VPN), or any combination of any of the same. Communications links 202 and 205 may be any communications links suitable for communicating between workstations 201 and server 204 (e.g., network control center), such as network links, dial-up links, wireless links, hard-wired links, as well as network types developed in the future, and the like. A virtual machine may be a software implementation of a computer that executes computer programs as if it were a standalone physical machine.

FIG. 3 illustrates one example access revocation system 300 according to one or more aspects described herein. In some examples, the access revocation system 300 may be part of, internal to or associated with an entity 302. The entity 302 may be a corporation, university, government entity, and the like. In some examples, the entity 302 may be a financial institution, such as a bank. Although various aspects of the disclosure may be described in the context of a financial institution, nothing in the disclosure shall be construed as limiting the access revocation system 300 to use within a financial institution. Rather, the system may be implemented by various other types of entities.

The access revocation system 300 may include one or more modules that may include hardware and/or software configured to perform various functions within the system 300. In some examples, one or more modules within system 300 may be in physically separate devices. In other examples, one or more modules within system 300 may be formed in a single physical device or unit.

For instance, the access revocation system 300 may include an access module 304. The access module 304 may include one or more databases storing information associated with various applications, as well as information associated with individuals permitted to access one or more of the various applications. For instance, the entity 302 may implement one or more applications during the course of business. Applications may include, for example, email or messaging applications, word processing applications, data or file storage applications, and the like. Various users associated with the entity 302 (e.g., employees of the entity, contractors working within the entity, or the like) may be granted permission to access one or more of the applications. The permissions may be stored (in various arrangements, formats, or the like), for example, in the access module 304. For instance, access module 304 may include a listing of employees (by name, employee number or other identifier, or the like). Associated with each employee may be a list of applications to which the employee has access or permission to access. Should the employee terminate their employment, access or permission to access those applications may be revoked, as will be discussed herein.

The access module 304 may further include information or data associated with a status of each user. For instance, human resources or other records may be used to identify a work status of a user (e.g., employed by the entity, terminated, or the like). In some examples, a role or job position, including particular duties associated with the role or job position, may be stored. Thus, as a user moves from one position within the entity to another, the appropriate permissions to access one or more applications may be modified and/or stored within the access module 304.

Data associated with applications, users, human resources, and the like, stored or used by the access module 304 may be received from one or more sources, such as databases (not shown in FIG. 3). The one or more sources may be internal to (e.g., associated with) the entity 302, or may be external to (e.g., not associated with) the entity 302.

The access revocation system 300 may further include a revocation settings module 306. The revocation settings module 306 may receive one or more access review process settings, such as from different business divisions or enterprises within the entity 302. For example, settings from enterprise or division 1 308 a, enterprise or division 2 308 b through enterprise or division n 308 n may be received by the revocation settings module 306. The access review process settings received may include, in at least some examples, settings determined to be best practices of each enterprise or division. In some examples, the settings received may be from different types of groups. For instance, some settings may be received from an enterprise while some settings may be received from a division (e.g., a division within the enterprise, or the like), business group, or the like. Thus, the settings received may be compiled by the revocation settings module 306 and applied to items received in order to filter the items, identifying those that are associated with access, that are actionable, that are properly mapped, or the like, based on the settings. The compiled settings may be a standardized set of revocation settings that may be applied across the entity 302, as desired.

The access revocation system 300 may further include an item analysis module 310. The item analysis module 310 may receive one or more items (such as items that appear to be associated with access, access revocation, or the like) and may automatically apply the compiled revocation settings from the revocation settings module 306 to determine whether the items are associated with access (e.g., to an application, data or the like), whether they are actionable (e.g., whether the appropriate system has received the item, whether an appropriate team is analyzing the item, or the like), and/or whether they are mapped to a confirmed location. In some examples, mapping to a confirmed location includes mapping of an application reference number to, for example, an access administrator, to a single sign-on (SSO) owner (e.g., for applications with web enabled access), a division or enterprise access management team, an access management team from a division or enterprise outside the division or enterprise related to the item, and/or the access administrator for profiled access. Various other filters or criteria may be applied to items received based on the revocation settings without departing from the invention.

In some examples, the received one or more items may include an identified one or more applications, an identified one or more users, and the like. Accordingly, the system 300 and, in particular, the item analysis module 310, may determine whether access to or permission to access the identified one or more applications should be revoked for the identified one or more users. In at least some examples, revocation of access or permission to access includes access that was previously permitted (e.g., access to one or more applications by one or more users) and now, based on the determination that access should be revoked, will no longer be permitted.

Once an item has been analyzed by the item analysis module 310, if the item is, for example, associated with access, is actionable and is mapped to a confirmed location, the item may be transmitted to a revocation module 312. The revocation module 312 may automatically remove access or permission to access an identified one or more applications for the identified one or more users. Accordingly, the identified one or more users may be unable to access the identified one or more applications via a computing device, such as computing devices 316 a-316 e. For instance, access to the identified one or more applications may be prevented on a smartphone 316 a, personal digital assistant (PDA) 316 b, tablet computing device 316 c, cell phone 316 d, or other type of computing device 316 e.

If the item being analyzed by the item analysis module 310 does not meet the criteria of the revocation settings, the item may be transmitted to a further processing module 314. In some examples, the further processing module 314 may direct the item to an administrator for manual processing, may redirect the item to another group or team within the entity 302 designated to handle those types of items, or the like.

In some examples, one or more modules within the access revocation system 300 may include tracking features in order to maintain a record or log of items received, analysis performed, determinations made, and the like. Accordingly, an audit trail may be established that may be used to track actions taken, confirm procedures and regulations are being followed, and the like.

These and various other arrangements will be discussed more fully below.

FIG. 4 illustrates one example method of determining whether access to or permission to access one or more applications for one or more users should be revoked, according to one or more aspects described herein. In step 400, revocation settings may be received (e.g., by a revocation settings module 306). The revocation settings may be received from one or more different enterprises, business groups, business divisions, or the like, within an entity implementing the system (e.g., entity 302 in FIG. 3). The revocation settings may, in some examples, include best practices implemented by each of the different divisions, enterprises or business groups from which the settings are received. Accordingly, the received settings also may be compiled in step 400, in order to implement a standardized set of settings for revocation of access.

In step 402, an event or potential access revocation item is received. The event or item may, in some examples, include a plurality of events or items. The event or item may include one or more applications associated with the item, one or more users associated with the item, and the like. The event or item may be received by, for instance, an item analysis module (such as module 310 in FIG. 3) and may be analyzed or evaluated by the module, as is discussed more fully below. Although one item is discussed with respect to FIG. 4, a plurality of items may be received by the system and evaluated or analyzed using the processes described herein.

In step 404, a determination may be made as to whether the item is associated with access to or permission to access one or more applications. For instance, the system may determine whether the item received is associated with or related to providing or revoking access to one or more applications. Performing this step at or near the beginning of an access revocation process may greatly reduce the number of items being processed, evaluated, analyzed, or the like, by the system. This may aid in improving accuracy of revocation, reducing time elapsed between departure of an employee and revocation, and may improve efficiency for the process overall.

If, in step 404, a determination is made that the item is not associated with access to or permission to access one or more applications, the item may be removed from the process and/or transmitted for further processing in step 406. As discussed above, further processing may include manually analyzing or researching the received item, transferring the item to another business group, team or system associated with the other business group or team, designated to handle items of that nature, or the like.

If, in step 404, a determination is made that the item is associated with access to or permission to access one or more applications, the process may proceed to step 408 where a determination is made as to whether the item can be actioned. For instance, step 408 may include determining whether the system is the appropriate system to handle the item, whether the item is an item that can be processed automatically via the system or whether additional action or processing may be desired, or the like. In another example, the item may be reviewed to determine whether it is related to compliance data or messages, for instance, data indicating access that a user does not have because of a category or group of users with which the user is associated. If, in step 408, it is determined that the item is not actionable, the item may be removed from the process and/or transmitted for further processing in step 406, similar to the arrangement discussed above.

If, in step 408, it is determined that the item is actionable, in step 410, a determination may be made as to whether the item is mapped to a confirmed location. As indicated above, mapping to a confirmed location may include mapping of an application reference number to, for instance, an access administrator, to a single sign-on (SSO) owner (e.g., for applications with web enabled access), a division or enterprise access management team, an access management team from a division or enterprise outside the division or enterprise related to the item, and/or the access administrator for profiled access.

If, in step 410, the item is not mapped to a confirmed location, the item may be removed from the process and/or transmitted for further processing in step 406, as discussed above. Alternatively, if, in step 410, the item is mapped to a confirmed location, the item may be further processed and access identified in that item may be revoked in step 412. In some examples, access to the one or more applications identified in the item for the one or more users identified in the item may be automatically revoked (e.g., without additional input or interaction with the system).

In some examples, some of the steps associated with the process illustrated in FIG. 4 may be performed in the order indicated in FIG. 4 and described above. For instance, determining whether an item relates to access may be performed as a first step in a filtering portion of the process, or at a point early in the process. This may aid in ensuring that any items not related to access or access revocation will be filtered out early in the process in order to reduce the number of items being evaluated by the system.

As discussed above, the process of analyzing and/or evaluating an item may include maintaining a record of the analysis performed in order to track the progress of the item through the system. Accordingly, analysis of the item, actions taken, and the like, may be tracked in order to maintain a record of processing the item, confirm that procedures are being followed, and the like.
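The modules of FIG. 3 and the steps of FIG. 4 (compilation of division settings in step 400, the step 404, 408 and 410 filters, revocation in step 412 and the tracking record) as an added worked example in Python. This code is not part of the disclosure and is not code of any entity it describes; the settings keys, the item fields, the sample divisions, permissions and items are all constructed for illustration. Two choices in it are the editor's rather than the page's, and are labeled as such in the comments: an application reference number that two divisions map to different owners is treated as not having a confirmed location, so the item falls to further processing rather than being actioned on a guess, and revocation is idempotent, so re-processing an item for a user who has already lost the permission records no change instead of failing. Revocation here means what the page describes, removal of the application from the user's permission list in the access module.

```python
"""Added example (not the disclosure's own code): in-memory model of the access
revocation pipeline of FIG. 3 and FIG. 4. All settings keys, item fields and
sample data are constructed assumptions for illustration."""
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    REVOKED = "revoked"                        # step 412
    FURTHER_PROCESSING = "further processing"  # step 406


@dataclass(frozen=True)
class Item:
    item_id: str
    category: str       # assumed field, e.g. "access" or "badge"
    app_ref: str        # application reference number
    users: tuple        # employee numbers or other unique identifiers
    source_system: str  # assumed field: the system that emitted the item


def compile_settings(division_settings):
    """Step 400: merge per-division settings into one entity-wide set. Lists are
    unioned; an app_ref that two divisions map to different owners is dropped
    (editor's choice), so such items go to further processing, not a guessed owner."""
    compiled = {"access_categories": set(), "actionable_sources": set(),
                "confirmed_locations": {}}
    conflicts = set()
    for settings in division_settings:
        compiled["access_categories"] |= set(settings.get("access_categories", ()))
        compiled["actionable_sources"] |= set(settings.get("actionable_sources", ()))
        for app_ref, owner in settings.get("confirmed_locations", {}).items():
            known = compiled["confirmed_locations"].get(app_ref)
            if known is not None and known != owner:
                conflicts.add(app_ref)
            compiled["confirmed_locations"][app_ref] = owner
    for app_ref in conflicts:
        del compiled["confirmed_locations"][app_ref]
    return compiled


class AccessRevocationSystem:
    """Item analysis (310), revocation (312) and the FIG. 5 tracking record."""

    def __init__(self, settings, permissions):
        self.settings = settings
        self.permissions = permissions  # access module 304: user id -> set of app_refs
        self.audit = []                 # one tracking row per item processed

    def process(self, item):
        s = self.settings
        is_access = item.category in s["access_categories"]                       # step 404
        actionable = is_access and item.source_system in s["actionable_sources"]  # step 408
        mapped = actionable and item.app_ref in s["confirmed_locations"]          # step 410
        if mapped:
            revoked_for = self._revoke(item)                                      # step 412
            outcome = Outcome.REVOKED
        else:
            revoked_for = ()
            outcome = Outcome.FURTHER_PROCESSING                                  # step 406
        self.audit.append({"item": item.item_id, "access": is_access,
                           "actionable": actionable, "mapped": mapped,
                           "outcome": outcome.value, "users": revoked_for})
        return outcome

    def _revoke(self, item):
        """Remove the application from each named user's permission list.
        Idempotent (editor's choice): a user who already lacks it is skipped."""
        revoked = []
        for user in item.users:
            apps = self.permissions.get(user, set())
            if item.app_ref in apps:
                apps.discard(item.app_ref)
                revoked.append(user)
        return tuple(revoked)


def run_demo():
    """Constructed sample divisions, permissions and items."""
    settings = compile_settings([
        {"access_categories": {"access"}, "actionable_sources": {"hr-feed"},
         "confirmed_locations": {"APP-100": "sso-owner-a"}},
        {"access_categories": {"access", "entitlement"},
         "actionable_sources": {"hr-feed", "ticketing"},
         "confirmed_locations": {"APP-200": "access-admin-b", "APP-300": "team-c"}},
        {"confirmed_locations": {"APP-300": "team-d"}},  # conflicts with the line above
    ])
    permissions = {"E1": {"APP-100", "APP-200"}, "E2": {"APP-300"}}
    system = AccessRevocationSystem(settings, permissions)
    items = [
        Item("I-1", "access", "APP-100", ("E1",), "hr-feed"),  # passes all three checks
        Item("I-2", "badge", "APP-100", ("E1",), "hr-feed"),   # not access-related
        Item("I-3", "access", "APP-200", ("E1",), "email"),    # not actionable here
        Item("I-4", "access", "APP-300", ("E2",), "hr-feed"),  # no confirmed mapping
    ]
    outcomes = {item.item_id: system.process(item).value for item in items}
    return outcomes, permissions, system.audit
```

Running run_demo() revokes APP-100 for E1 on item I-1 and routes the other three items to further processing, each for a different reason, while the audit list holds one row per item with the three determinations and the outcome, which is the content of columns 506 through 512 of FIG. 5. The three checks are evaluated in the FIG. 4 order, so an item that is not access-related never reaches the actionability or mapping tests.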

FIG. 5 illustrates one example user interface 500 that may display tracking information associated with analysis or evaluation of an item, according to one or more aspects described herein. In column 502, one or more items are displayed. The items are identified by an item number or other identifier. Column 504 includes a date and time associated with each item. The date and time may indicate when the item was received, when the item was analyzed or evaluated, and/or when the analysis of the item was completed. In some examples, an additional date and time column may be provided. In these arrangements, one date and time column may be used to identify a date and/or time that the item was received, while the second date and time column may indicate the date and time that analysis of the item was completed. Accordingly, a duration or processing time to complete the analysis of the item may be provided or determined (e.g., based on the difference or time elapsed between the first column and the second column).

Column 506 indicates whether the identified item is associated with access (e.g., whether the identified item is associated with providing or revoking access associated with one or more applications for one or more users). As discussed above, as an item is analyzed or evaluated, the determination is made as to whether the item is related to access. That determination may be displayed in column 506 for tracking purposes.

Column 508 indicates whether the identified item is actionable (e.g., whether the identified item should be addressed by this particular system or team implementing the system, or the like). As discussed above, as an item is analyzed or evaluated, the determination is made as to whether the item is actionable. That determination may be displayed in column 508 for tracking purposes.

Column 510 indicates whether the identified item is mapped to a confirmed location. As discussed above, as an item is analyzed or evaluated, the determination is made as to whether an item is mapped to a confirmed location. That determination may be displayed in column 510 for tracking purposes.

Column 512 provides the ultimate outcome of the analysis of each item. For instance, column 512 may indicate whether analysis of the item resulted in revocation of access to one or more applications for one or more users.

In some examples, a user may activate scrolling of the user interface 500 in order to view additional items not displayed on the current portion of the display. Accordingly, the user may activate slider bar 514 or arrows 516 in order to scroll through additional items not shown in FIG. 5. The user may also select “CANCEL” option 518 if the user would like to return to a previous screen, or “OK” option 520 to advance to another user interface.

In some arrangements, selection of an item (or other piece of data associated with the item in, for instance, one of columns 504-512) may prompt display of an additional user interface, such as interface 600 shown in FIG. 6. The user interface 600 may include additional details associated with the selected item. For instance, interface 600 may include the item identifier 602. Interface 600 may further include region 602 in which one or more applications related to the item are identified. The applications may be applications for which revocation of access is being evaluated.

Interface 600 may further include region 604 in which one or more usersassociated with the item are identified. The one or more users may beusers for which revocation of access to the identified one or moreapplications is being considered or evaluated. Selection of “OK” option606 may close user interface 600 and return the user to a previous userinterface, such as interface 500.

Although interface 600 is shown as overlaying the interface 500, in someexamples, interface 600 may be displayed without any portion ofinterface 500.

Further, the information provided in interfaces 500 and 600 are merelysome examples of information that may be tracked and/or displayed.Various other pieces or types of information may be displayed orprovided in one or more similar user interfaces without departing fromthe invention. For instance, employee number or other identifier, typeof employee (e.g., contractor or employee), business group of theemployee, type of application, and the like, may be provided in one ormore interfaces similar to interfaces 500 or 600 without departing fromthe invention.

Additionally or alternatively, the example information shown in the userinterface 500 of FIG. 5 may be sorted, filtered, or the like, accordingto desired criteria. For example, in order to simplify the data beingreviewed, a user may elect to sort the data to display only items forwhich access was revoked. In another example, a user may elect to sortthe data to display items having a “yes” entry in one or more of columns506, 508 and/or 510. In still another example, a user may elect to hideone or more rows in order to simplify viewing of the data. Various othersorting and/or filtering arrangements may be used without departing fromthe invention.

The systems, methods, apparatuses, and the like described herein aid in improving accuracy and efficiency in revoking user access to one or more applications to which the user should no longer have access. By performing the steps of the methods described herein up front or at an early stage in the process, the number of items (e.g., amount of data) being evaluated and/or analyzed is greatly reduced. This may aid in improving speed of revocation (e.g., the time between when a user's access should be revoked and when the revocation occurs). This can be an important factor in reducing risk associated with users (e.g., former employees, or the like) retaining access after termination of their employment.

Further, by reducing the number of items to be processed for revocation (e.g., by implementing the filtering steps described herein), more accurate revocations can be made (e.g., fewer instances of inadvertently revoking access for users who should retain it, or the like).

Various aspects described herein may be embodied as a method, an apparatus, or as one or more computer-readable media storing computer-executable instructions. Accordingly, those aspects may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Any and/or all of the method steps described herein may be embodied in computer-executable instructions stored on a computer-readable medium, such as a non-transitory computer readable medium. Additionally or alternatively, any and/or all of the method steps described herein may be embodied in computer-readable instructions stored in the memory of an apparatus that includes one or more processors, such that the apparatus is caused to perform such method steps when the one or more processors execute the computer-readable instructions. In addition, various signals representing data or events as described herein may be transferred between a source and a destination in the form of light and/or electromagnetic waves traveling through signal-conducting media such as metal wires, optical fibers, and/or wireless transmission media (e.g., air and/or space).

Aspects of the disclosure have been described in terms of illustrative embodiments thereof. Numerous other embodiments, modifications, and variations within the scope and spirit of the appended claims will occur to persons of ordinary skill in the art from a review of this disclosure. For example, one of ordinary skill in the art will appreciate that the steps illustrated in the illustrative figures may be performed in other than the recited order, and that one or more steps illustrated may be optional in accordance with aspects of the disclosure. Further, one or more aspects described with respect to one figure or arrangement may be used in conjunction with other aspects associated with another figure or portion of the description.

What is claimed is:
 1. An apparatus, comprising: at least one processor; and a memory storing computer-readable instructions that, when executed by the at least one processor, cause the apparatus to: receive first revocation settings from a first enterprise within a business entity; receive second revocation settings from a second enterprise within the business entity; compile the first revocation settings and the second revocation settings to generate compiled revocation settings; receive a first item associated with a revocation of access for a user within the business entity, the first item including identification of one or more applications for which revocation of access is being evaluated and identification of one or more users for which revocation of access is being evaluated; analyze the first item based on the compiled revocation settings, the analyzing further including instructions that, when executed, cause the apparatus to: determine, based on the compiled revocation settings, whether the first item is actionable by the access revocation system; and determine, based on the compiled revocation settings, whether the first item is mapped to a confirmed location; and responsive to determining that the first item is actionable and that the first item is mapped to a confirmed location, revoke access to the one or more applications identified in the first item for the one or more users identified in the first item.
 2. The apparatus of claim 1, further including instructions that, when executed, cause the apparatus to: record an outcome of the steps of determining whether the first item is actionable and determining whether the first item is mapped to a confirmed location.
 3. The apparatus of claim 2, further including instructions that, when executed, cause the apparatus to: store the recorded outcomes for further analysis.
 4. The apparatus of claim 2, further including instructions that, when executed, cause the apparatus to: display the recorded outcomes on a user interface tracking the analysis of the first item.
 5. The apparatus of claim 1, further including instructions that, when executed, cause the apparatus to: responsive to determining that the first item is not actionable, remove the first item from further analysis including the step of determining whether the first item is mapped to a confirmed location.
 6. The apparatus of claim 5, wherein removing the first item from further analysis includes transferring the first item for further processing.
 7. The apparatus of claim 1, wherein the first revocation settings are best practices of the first enterprise and the second revocation settings are best practices of the second enterprise.
 8. A method, comprising: receiving, by an access revocation system having at least one processor, first revocation settings from a first enterprise within a business entity; receiving, by the access revocation system, second revocation settings from a second enterprise within the business entity; compiling the first revocation settings and the second revocation settings to generate compiled revocation settings; receiving, by the access revocation system, a first item associated with a revocation of access for a user within the business entity, the first item including identification of one or more applications for which revocation of access is being evaluated and identification of one or more users for which revocation of access is being evaluated; analyzing the first item based on the compiled revocation settings, the analyzing including: determining, based on the compiled revocation settings, whether the first item is actionable by the access revocation system; and determining, based on the compiled revocation settings, whether the first item is mapped to a confirmed location; and responsive to determining that the first item is actionable and that the first item is mapped to a confirmed location, revoking access to the one or more applications identified in the first item for the one or more users identified in the first item.
 9. The method of claim 8, further including, recording an outcome of the steps of determining whether the first item is actionable and determining whether the first item is mapped to a confirmed location.
 10. The method of claim 9, further including storing the recorded outcomes for further analysis.
 11. The method of claim 9, displaying the recorded outcomes on a user interface tracking the analysis of the first item.
 12. The method of claim 8, further including, responsive to determining that the first item is not actionable, removing the first item from further analysis including the step of determining whether the first item is mapped to a confirmed location.
 13. The method of claim 12, wherein removing the first item from further analysis includes transferring the first item for further processing.
 14. The method of claim 8, wherein the first revocation settings are best practices of the first enterprise and the second revocation settings are best practices of the second enterprise.
 15. One or more non-transitory computer-readable media having computer-executable instructions stored thereon that, when executed, cause at least one computing device to: receive first revocation settings from a first enterprise within a business entity; receive second revocation settings from a second enterprise within the business entity; compile the first revocation settings and the second revocation settings to generate compiled revocation settings; receive a first item associated with a revocation of access for a user within the business entity, the first item including identification of one or more applications for which revocation of access is being evaluated and identification of one or more users for which revocation of access is being evaluated; analyze the first item based on the compiled revocation settings, the analyzing further including instructions that, when executed, cause the apparatus to: determine, based on the compiled revocation settings, whether the first item is actionable by the access revocation system; and determine, based on the compiled revocation settings, whether the first item is mapped to a confirmed location; and responsive to determining that the first item is actionable and that the first item is mapped to a confirmed location, revoke access to the one or more applications identified in the first item for the one or more users identified in the first item.
 16. The one or more non-transitory computer-readable media of claim 15, further including instructions that, when executed, cause the at least one computing device to: record an outcome of the steps of determining whether the first item is actionable and determining whether the first item is mapped to a confirmed location.
 17. The one or more non-transitory computer-readable media of claim 16, further including instructions that, when executed, cause the at least one computing device to: display the recorded outcomes on a user interface tracking the analysis of the first item.
 18. The one or more non-transitory computer-readable media of claim 15, further including instructions that, when executed, cause the at least one computing device to: responsive to determining that the first item is not actionable, remove the first item from further analysis including the step of determining whether the first item is mapped to a confirmed location.
 19. The one or more non-transitory computer-readable media of claim 18, wherein removing the first item from further analysis includes transferring the first item for further processing.
 20. The one or more non-transitory computer-readable media of claim 15, wherein the first revocation settings are best practices of the first enterprise and the second revocation settings are best practices of the second enterprise.
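The analysis flow recited in claims 1, 5, 6 and 8 above (compile per-enterprise settings, screen each item for being actionable and for a confirmed location mapping, transfer non-actionable items before the location check, and revoke only when both checks pass), together with the per-item tracking rows of FIG. 5 (columns 504-512), as an added Python example that is not part of the original disclosure. The field names of the settings, the item sources, location codes, user and application identifiers, the in-memory grant table standing in for a real entitlement store, and the choice of a union as the compiled set are all assumptions made for this illustration.

```python
"""Worked illustration of the claimed revocation flow (added example, not the
page's own code): compile per-enterprise settings, screen each item, record a
tracking row per item, and revoke only when every check passes."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

Grant = Tuple[str, str]  # (user id, application name)


@dataclass(frozen=True)
class RevocationSettings:
    # Field names are assumptions; the page only calls these "best practices".
    actionable_sources: FrozenSet[str]   # item sources this system acts on
    confirmed_locations: FrozenSet[str]  # location codes with a verified mapping


@dataclass(frozen=True)
class Item:
    item_id: str
    source: str
    location: Optional[str]  # None when the item carries no location mapping
    applications: FrozenSet[str]
    users: FrozenSet[str]
    access_related: bool = True


@dataclass(frozen=True)
class Outcome:
    """One row of the tracking interface (columns 504-512 of FIG. 5)."""
    item_id: str
    access_related: bool
    actionable: Optional[bool]
    confirmed_location: Optional[bool]  # None when the check was skipped
    outcome: str


def compile_settings(*settings: RevocationSettings) -> RevocationSettings:
    # Assumption: the compiled set is the union, so a source or location any
    # enterprise has vetted is honoured entity-wide. Use intersection instead
    # if the entity wants the strictest common set.
    return RevocationSettings(
        actionable_sources=frozenset().union(*(s.actionable_sources for s in settings)),
        confirmed_locations=frozenset().union(*(s.confirmed_locations for s in settings)),
    )


class AccessRevocationSystem:
    def __init__(self, settings: RevocationSettings, grants: Set[Grant]) -> None:
        self.settings = settings
        self.grants = set(grants)          # stand-in for the real entitlement store
        self.transferred: List[str] = []   # items handed off for further processing
        self.outcomes: List[Outcome] = []  # the tracking table of FIG. 5

    def is_actionable(self, item: Item) -> bool:
        return item.source in self.settings.actionable_sources

    def is_mapped_to_confirmed_location(self, item: Item) -> bool:
        return item.location is not None and item.location in self.settings.confirmed_locations

    def revoke(self, item: Item) -> int:
        """Remove every (user, application) pair named in the item; return the count."""
        targets = {(u, a) for u in item.users for a in item.applications}
        removed = self.grants & targets
        self.grants -= removed
        return len(removed)

    def process(self, item: Item) -> Outcome:
        if not item.access_related:
            row = Outcome(item.item_id, False, None, None, "not access related")
        elif not self.is_actionable(item):
            # Non-actionable items leave the pipeline before the location check
            # and are transferred for further processing (claims 5 and 6).
            self.transferred.append(item.item_id)
            row = Outcome(item.item_id, True, False, None, "transferred")
        elif not self.is_mapped_to_confirmed_location(item):
            # Fail closed: an unconfirmed mapping never triggers a revocation.
            # Holding such items for review is this example's choice, not the page's.
            row = Outcome(item.item_id, True, True, False, "held for review")
        else:
            n = self.revoke(item)
            row = Outcome(item.item_id, True, True, True, f"revoked {n} grant(s)")
        self.outcomes.append(row)
        return row


def demo() -> Tuple[AccessRevocationSystem, List[Outcome]]:
    """Run four constructed items through the flow (all identifiers are made up)."""
    first = RevocationSettings(frozenset({"hr-termination"}), frozenset({"NYC-01"}))
    second = RevocationSettings(frozenset({"hr-transfer"}), frozenset({"LDN-02"}))
    system = AccessRevocationSystem(
        compile_settings(first, second),
        {("u1001", "payroll"), ("u1001", "vpn"), ("u1002", "vpn"), ("u1003", "erp")},
    )
    items = [
        # Source vetted by the first enterprise, location by the second: only the
        # compiled settings let both checks pass.
        Item("ITM-1", "hr-termination", "LDN-02", frozenset({"payroll", "vpn"}), frozenset({"u1001"})),
        Item("ITM-2", "helpdesk-chat", "NYC-01", frozenset({"vpn"}), frozenset({"u1002"})),
        Item("ITM-3", "hr-transfer", "UNKNOWN", frozenset({"erp"}), frozenset({"u1003"})),
        Item("ITM-4", "hr-termination", "NYC-01", frozenset(), frozenset(), access_related=False),
    ]
    return system, [system.process(i) for i in items]


if __name__ == "__main__":
    for r in demo()[1]:
        print(f"{r.item_id:6} access={r.access_related!s:5} actionable={r.actionable!s:5} "
              f"confirmed={r.confirmed_location!s:5} outcome={r.outcome}")
```

Running the block prints one tracking row per item, in the order of columns 504-512. Two points matter for a practitioner: the revocation branch is reached only when both determinations are true, so a widening of the compiled settings (the union chosen here) directly widens what gets revoked automatically, and every item, including the ones screened out early, still leaves a recorded row so the audit trail explains why access was or was not removed.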